By Jake Edge
March 25, 2009
It will come as no surprise to long-time readers of this page (or others
who have followed embedded device security), but recent reports
of the "first Linux botnet" are making the subject of router/modem security
more visible to the general public. As we have reported previously, embedded,
network-facing devices make tempting targets. It appears that a botnet
herder noticed that and is trying to take advantage of Linux-based
devices.
Perhaps the most surprising part about the attack is the simplicity of the
vulnerability it is exploiting. As far as anyone has found, "psyb0t", as
the botnet is known, just brute forces username/password pairs over telnet,
ssh, or http. The earliest
research [PDF] of the
botnet was from January; at that time it was only known to be exploiting a
particular ADSL modem (Netcomm NB5) that, at one time, had non-existent
authorization on
its WAN-facing administrative web interface.
More recently, DroneBL found more
infected routers when investigating a distributed denial of service
(DDOS) against its servers. The botnet is targeting Linux devices using
the mipsel (MIPS little-endian) architecture, which includes many
Linux-based home routers. OpenWRT,
DD-WRT, and other projects all provide
Linux-mipsel firmware for a variety of potentially vulnerable devices.
Once the infecting program gets access to the device, it downloads the
botnet code and disables access to the device via telnet, ssh, or http.
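The infection pattern described above (a burst of failed logins from one address, followed by a success and then the lockout of the legitimate owner) is visible in a router's own authentication log, which is the one place a defender can catch it. The following is an added example, not code from the LWN article or from any of the firmware projects it mentions: a small detector that reads constructed dropbear-style syslog lines (hostnames, PIDs and addresses are made up), counts failures per source address inside a sliding window, and flags any later success from a source that already tripped the brute-force threshold. The message formats are modeled on dropbear's "Bad password attempt" and "Password auth succeeded" lines; the 60-second window and threshold of five are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in the style of the dropbear SSH server found on
# many mipsel routers. Hostname, PIDs and addresses are invented for this example.
SAMPLE_LOG = """\
Mar 25 10:00:01 router dropbear[1201]: Bad password attempt for 'admin' from 203.0.113.7:51200
Mar 25 10:00:02 router dropbear[1202]: Bad password attempt for 'root' from 203.0.113.7:51201
Mar 25 10:00:03 router dropbear[1203]: Bad password attempt for 'admin' from 203.0.113.7:51202
Mar 25 10:00:04 router dropbear[1204]: Bad password attempt for 'user' from 203.0.113.7:51203
Mar 25 10:00:05 router dropbear[1205]: Bad password attempt for 'admin' from 203.0.113.7:51204
Mar 25 10:00:06 router dropbear[1206]: Password auth succeeded for 'admin' from 203.0.113.7:51205
Mar 25 10:15:00 router dropbear[1300]: Bad password attempt for 'admin' from 192.0.2.44:40001
Mar 25 10:15:30 router dropbear[1301]: Password auth succeeded for 'admin' from 192.0.2.44:40002
Mar 25 11:00:00 router dropbear[1400]: Password auth succeeded for 'admin' from 192.168.1.10:33000
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
FAIL_RE = re.compile(r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")
OK_RE = re.compile(r"Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")


def parse_events(log_text):
    """Turn log lines into (timestamp, ip, user, outcome) tuples; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine here because only time differences are used.
        ts = datetime.strptime(ts_m.group("ts"), "%b %d %H:%M:%S")
        for outcome, rx in (("fail", FAIL_RE), ("success", OK_RE)):
            m = rx.search(line)
            if m:
                events.append((ts, m.group("ip"), m.group("user"), outcome))
                break
    return events


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Report source addresses whose failures inside `window` reach `threshold`,
    plus any later success from such a source (the password-guessed pattern)."""
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[1]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        recent_fails = []   # timestamps of failures still inside the sliding window
        burst_seen = False
        for ts, _, user, outcome in evs:
            # Drop failures that have aged out of the window.
            recent_fails = [t for t in recent_fails if ts - t <= window]
            if outcome == "fail":
                recent_fails.append(ts)
                if len(recent_fails) >= threshold and not burst_seen:
                    burst_seen = True
                    alerts.append({"ip": ip, "kind": "brute_force",
                                   "failures": len(recent_fails), "at": ts})
            elif burst_seen:
                # A success from a source that already brute-forced is the
                # signal that a weak or default password has been guessed.
                alerts.append({"ip": ip, "kind": "compromise_suspected",
                               "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed input the detector raises two alerts for 203.0.113.7 (the five-failure burst, then the success as `admin`) and nothing for the two other sources, one of which is a single mistyped password from the WAN and the other a normal LAN login. The same structure works for telnet or HTTP authentication logs once the two regular expressions are swapped for the daemon's own message formats.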
While its method of getting access is simple, the botnet code itself is very
capable. It connects to a command and control IRC channel (#mipsel) on a
particular host under the control of the botnet herder. Commands on that
channel can
order the botnet nodes to do various denial of service attacks, scan for
vulnerable MySQL and phpMyAdmin sites and subvert them, port scan
particular hosts, update the botnet
code, and more. The IRC channel has shut down with a message indicating
that psyb0t was strictly a research project by someone known as DRS. The
message also claimed that no DDOS or phishing was done and that the botnet
reached 80,000 nodes.
While it may well be that the danger of this particular threat has passed,
the more general issue of router, especially home router, security
persists. A fully capable, always-on Linux device is a very attractive
target for botnet herders or other types of attackers. Trying to put
together a botnet of Linux desktops and servers might be a much more
difficult task as there is a much wider diversity of distributions and
kernel versions, as well as different architectures and configurations. To
a great extent, the Linux-based home router landscape is much more
homogeneous, as psyb0t has shown.
Clearly default and/or weak passwords are a serious problem—not just
for Linux-based devices—but it would not be surprising to find that
other
vulnerabilities (such as authentication
bypass) are available on many of these devices. Unlike a simple
password change, those kinds of flaws require an update to the router
firmware, which, in turn, requires users to know about the problem and
understand where to get—and how to apply—the code to fix it.
This is certainly a problem we have not seen the last of.